CWE-285

Exploit likelihood: High

Improper Authorization

Parent: CWE-284 - Improper Access Control

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

1,318 vulnerabilities with CWE-285

CVE              Severity  CVSS  Title
CVE-2026-21724   MEDIUM    5.4   Missing Protected-field Authorization in Provisioning Contact Points API
CVE-2026-34056   HIGH      7.7   OpenEMR <=8.0.0.3 Ensora eRx Logs - Privilege Escalation
CVE-2026-34051   MEDIUM    5.4   OpenEMR has Improper ACL On Import/Export Popup
CVE-2026-33222   MEDIUM    4.9   NATS JetStream Management API - Authorization Bypass
CVE-2026-28881   MEDIUM    5.5   Apple macOS <26.4 - Info Disclosure
CVE-2026-28865   HIGH      7.5   iOS and iPadOS < 18.7.7 - Authentication Bypass via Improved State Management
CVE-2026-28845   MEDIUM    5.5   macOS < 26.4 - Unprotected User Data Exposure via Authorization Issue
CVE-2026-28839   MEDIUM    5.3   macOS < 14.8.5, < 15.7.5, < 26.4 - Unprotected User Data Exposure via Improper Authorization
CVE-2026-33162   MEDIUM    6.5   Craft CMS 5.3.0-5.9.13 - Entry Section Move Authorization Bypass
CVE-2026-33680   HIGH      7.5   Vikunja Vulnerable to Link Share Hash Disclosure via ReadAll Endpoint Enables Permission Escalation
CVE-2026-33668   HIGH      8.1   Vikunja Allows Disabled/Locked User Accounts to Authenticate via API Tokens, CalDAV, and OpenID Connect
CVE-2026-4617    HIGH      7.3   SourceCodester Patients Waiting Area Queue Management System Patient Check-In api_patient_checkin.php ValidateToken improper authorization
CVE-2026-32300   HIGH      8.1   Connect-CMS 1.x-1.41.0/2.x-2.41.0 - Privilege Escalation
CVE-2026-4563    MEDIUM    4.3   MacCMS Member Order Detail User.php order_info authorization
CVE-2026-4549    LOW       3.1   mickasmt next-saas-stripe-starter Stripe API open-customer-portal.ts openCustomerPortal authorization
CVE-2026-4548    MEDIUM    6.3   mickasmt next-saas-stripe-starter update-user-role.ts updateUserrole improper authorization
CVE-2026-2294    MEDIUM    4.3   UiPress lite | Effortless custom dashboards, admin themes and pages <= 3.5.09 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Update
CVE-2026-33186   CRITICAL  9.1   gRPC-Go <1.79.3 HTTP/2 :path - Authorization Bypass
CVE-2026-31836   HIGH      8.1   Mass Assignment Privilege Escalation in Checkmate
CVE-2026-33125   HIGH      7.1   Frigate Broken Access Control: Users assigned the viewer role can delete admin and other low-privileged accounts
CVE-2026-31869   MEDIUM    4.3   Discourse: Composer mentions endpoint leaks hidden group membership through PM `allowed_names` check
CVE-2026-30702   CRITICAL  9.8   WiFi Extender WDR201A HW V2.1 FW LFMZX28040922V1.02 - Auth Bypass
CVE-2026-32692   HIGH      7.6   Unauthorized update of out-of-scope Vault secrets
CVE-2026-21886   MEDIUM    6.5   OpenCTI's GraphQL Mutations Allow Deletion of Unrelated Entities
CVE-2026-3237    MEDIUM    4.3   Octopus Server <2025.3.14731 - Privilege Escalation